What would you do?
Are you prepared to tell over 24 million customers there was a security breach at your organization?
Adobe has warned of a vulnerability in Adobe Reader on Windows through which your system could be attacked.
According to Adobe, a critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh.
“This U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows. Adobe Reader X Protected Mode and Acrobat X Protected View mitigations would prevent an exploit of this kind from executing,” posted on Adobe’s security bulletin.
While this information could directly affect you, and I hope you take the needed precautions to make sure it doesn’t, it raises an even larger point. You never know when or how an attack will happen, so you need to stay current on security news and information.
To stay updated and read more about these issues, follow the Adobe PSIRT team blog at http://blogs.adobe.com/psirt or subscribe to its RSS feed at http://blogs.adobe.com/psirt/atom.xml.
To find out how we can help you promote a secure environment and reduce the risk of a breach, ask about our security awareness programs. For more information, see our Security Awareness page. You can also reach us by email or at 1-866-245-5224.
Cisco recently announced that according to their global study, seven out of 10 young employees frequently ignore IT policies, and one in four is a victim of identity theft before the age of 30.

What does this say about a new generation of employees?
They need to understand the purpose of IT policies and the importance of these policies for both the organization and the individual. On-demand access to information is an essential part of this generation’s lives, and according to Cisco, these employees will do what they must to access the Internet, even if it compromises their company or their own security. This includes using or sharing their neighbors' wireless connections to save money on their own service or going to random businesses and accessing their connections.
While the use of others’ Internet may save some money, it comes at the expense of security. These same laptops used at Internet cafes and with the neighbor’s Wi-Fi are used to update business files and contact employees and clients. This opens the door for an organizational compromise with the use of unprotected Internet access.
This report supports why I believe on-demand security awareness training is vital for an organization. This generation needs to be aware of the risks and the measures needed to prevent a security compromise.
I know a college student who told me her university will insert students’ USB devices, left behind by accident in the computer lab, into one of their computers to see if the student’s name is on the device. The student is then notified via email that the device has been found. Students then plug them back into their own computers.
I see several concerns here. First, how does the university know the USB left behind is not a trap? This places university information at risk. Second, how does the student know someone did not take the USB while it was left behind and compromise it? Then, when they plug it into their own computer, a virus is installed. This generation seems to trust that no one would do such a thing until it’s too late. While this can be seen as a college policy flaw, it can also be a reason why these students go into the professional world without a security-conscious mindset.
They’ve been educated in their craft, but now they need to be educated in Security Awareness. Young professionals are a huge asset to an organization, and offering Security Awareness Training to them and showing them the importance of IT policies will enhance their professional development as well as their secure performance in your organization.
A few days ago, I read that Good Technology's first Bring Your Own Device (BYOD) report found finance and healthcare are among the top industries to adopt BYOD policies.
While these industries have some of the most need for security, I find it interesting they are opening the door for this policy.
According to Good, the rise in popularity and proliferation of smartphones and tablets has driven the "Consumerization of IT" with employee requests to use their personal, mobile devices for professional tasks. Because of this, IT departments are developing policies to allow employees to access confidential enterprise data and information with their own smartphones and tablets.

Here are the key findings from Good’s report:
1. Highly Regulated Industries Embrace BYOD: Large companies from the finance/insurance and healthcare industries dominate the overall BYOD picture, with retail/wholesale and government less likely to support BYOD.
2. Big Companies Get BYOD: 80 percent of those supporting BYOD have over 2,000 employees; 60 percent have over 5,000 employees; and 35 percent have over 10,000 employees.
3. Employees Are Willing to Pay for Personal Choice: 50 percent of companies with BYOD models are requiring employees to cover all costs, and their users are taking them up on the offer; 45 percent provide their employees with a stipend or "expense back" options to help subsidize the cost of their mobile device or service plan.
4. Offering BYOD Stipend Increases: Companies that offer BYOD stipends have the highest rate of employees using mobile devices when compared to companies that require employees to cover all BYOD costs themselves, or allow for expense-back of service plan costs but limit it to users with management pre-approval.
5. BYOD Goes Global: Many believe that BYOD "doesn't work" outside the U.S. due to privacy laws or greater exposure to highly variable roaming costs. Our data clearly shows otherwise – with nearly half (44.9 percent) of respondents indicating they are deploying BYOD programs in multiple countries.
Online perpetrators are not taking holiday vacations this year
This holiday season, as gifts are purchased online and in stores across the world, unfortunately some see this as an opportunity to steal your online banking credentials. So while you shouldn’t be scared to buy Grandma that scarf she’s been wanting, you do need to be wary of a new spear phishing campaign.
The FBI Denver Cyber Squad released information on the new campaign that involves personal and business bank accounts, financial institutions, money mules and jewelry stores:
“The campaign involves a variant of the ‘Zeus’ malware called ‘Gameover.’ The spam campaign is pretending to be legitimate emails from the National Automated Clearing House Association (NACHA), advising the user there was a problem with the ACH transaction at their bank and it was not processed. Once they click on the link they are infected with the Zeus or Gameover malware, which is able to keylog as well as steal their online banking credentials, defeating several forms of two-factor authentication.”
Okay, so how do you stay away from this trick and others like it?
Well, here are three simple tips to remember this holiday season to be sure you do not take the bait:
1. Be wary of emails from senders you have never seen before. Even if the subject line is tempting with an urgent call to action, look at the source and be cautious of the sender.
2. Understand your bank’s policy on communication, and call your bank if a message seems urgent to confirm the email’s validity.
3. Even if you think the link is okay to use, copy and paste it into a search engine to see whether it leads to a valid site. If someone has reported it as spam, that report may appear at the top of the organic search results, and you will know there is a good chance it is fraudulent.
For more information on this FBI investigation and the campaign details, see the FBI Denver Cyber Squad’s release.
The most effective way to keep your users safe is to provide annual Security Awareness Training to help them identify and avoid threats. Check out our Security Awareness Training course to get started.